如何在 Indy 10 中启用完美前向保密？

Question

我在 Delphi 2010 年使用 OpenSSL 1.0.2o 和 Indy 10.6.2。

这是我目前所做的：

procedure TServerForm.FormCreate(Sender: TObject);
var
  LEcdh: PEC_KEY;
  FSslCtx: PSSL_CTX;
  SSL: PSSL;
  FSSLContext: TIdSSLContext;
begin
  //mServer.Active := True;
  FSingle:=TCriticalSection.Create;
  appdir := ExtractFilePath(ParamStr(0));
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.RootCertFile := appdir + 'EccCA.pem';
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.KeyFile := appdir + 'EccSite.key';
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.CertFile := appdir + 'EccSite.pem';
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.DHParamsFile := appdir + 'dhparam.pem';
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.Method := sslvTLSv1_2;
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1_2];
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.CipherList := 
    //'ECDHE-ECDSA-AES128-GCM-SHA256:' +
    'ECDHE-RSA-AES128-GCM-SHA256:' +
    //'ECDHE-RSA-AES256-GCM-SHA384:' +
    //'ECDHE-ECDSA-AES256-GCM-SHA384:' +
    //'DHE-RSA-AES128-GCM-SHA256:' +
    //'ECDHE-RSA-AES128-SHA256:' +
    //'DHE-RSA-AES128-SHA256:' +
    //'ECDHE-RSA-AES256-SHA384:' +
    //'DHE-RSA-AES256-SHA384:' +
    //'ECDHE-RSA-AES256-SHA256:' +
    //'DHE-RSA-AES256-SHA256:' +
    'HIGH:' +
    '!aNULL:' +
    '!eNULL:' +
    '!EXPORT:' +
    '!DES:' +
    '!RC4:' +
    '!MD5:' +
    '!PSK:' +
    '!SRP:' +
    '!CAMELLIA';

  MServer.IndyServer.IOHandler := IdServerIOHandlerSSLOpenSSL1;
  mServer.Active := True;
  //FSSLContext := TIdSSLContext(IdServerIOHandlerSSLOpenSSL1.SSLContext);
end;

This 无效。

大家有好的建议吗？

Answer 1

首先，确保将 Indy 版本更新到最新的 SVN 快照。在 previous discussion 我在 Embarcadero 论坛上与 Roberto Frances 讨论后，我将 SSL_CTRL_SET_ECDH_AUTO 和 SSL_CTX_set_ecdh_auto() 添加到 Indy 的 IdSSLOpenSSLHeaders 单元。

因此，其他讨论中的代码中唯一缺少的部分是 TMyIdSSLContext 的定义，我假设它就是这样的：

type
  TMyIdSSLContext = class(TIdSSLContext)
  end;

由于 TIdSSLContext.fContext 成员被声明为 protected，声明 TMyIdSSLContext 的单位可以访问 TIdSSLContext 的受保护成员。因此，您的代码可以如下所示：

type
  TMyIdSSLContext = class(TIdSSLContext)
  end;

procedure TServerForm.FormCreate(Sender: TObject);
var
  FSSLContext: TMyIdSSLContext;
begin
  FSingle := TCriticalSection.Create;
  appdir := ExtractFilePath(ParamStr(0));
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.RootCertFile := appdir + 'EccCA.pem';
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.KeyFile := appdir + 'EccSite.key';
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.CertFile := appdir + 'EccSite.pem';
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.DHParamsFile := appdir + 'dhparam.pem';
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.Method := sslvTLSv1_2;
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1_2];
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.CipherList := 
    //'ECDHE-ECDSA-AES128-GCM-SHA256:' +
    'ECDHE-RSA-AES128-GCM-SHA256:' +
    //'ECDHE-RSA-AES256-GCM-SHA384:' +
    //'ECDHE-ECDSA-AES256-GCM-SHA384:' +
    //'DHE-RSA-AES128-GCM-SHA256:' +
    //'ECDHE-RSA-AES128-SHA256:' +
    //'DHE-RSA-AES128-SHA256:' +
    //'ECDHE-RSA-AES256-SHA384:' +
    //'DHE-RSA-AES256-SHA384:' +
    //'ECDHE-RSA-AES256-SHA256:' +
    //'DHE-RSA-AES256-SHA256:' +
    'HIGH:' +
    '!aNULL:' +
    '!eNULL:' +
    '!EXPORT:' +
    '!DES:' +
    '!RC4:' +
    '!MD5:' +
    '!PSK:' +
    '!SRP:' +
    '!CAMELLIA';

  MServer.IndyServer.IOHandler := IdServerIOHandlerSSLOpenSSL1;
  mServer.Active := True;

  FSSLContext := TMyIdSSLContext(IdServerIOHandlerSSLOpenSSL1.SSLContext);
  SSL_CTX_set_ecdh_auto(FSSLContext.fContext, 1);
end;

如何在 Indy 10 中启用完美前向保密？

How to enable Perfect Forward Secrecy In Indy 10?

https

openssl

delphi-2010

indy10

tls1.2